Subject: Re: Help with ALTQ and pf
To: None <current-users@netbsd.org>
From: Peter Postma <peter@pointless.nl>
List: current-users
Date: 05/22/2005 13:48:06
On Fri, May 20, 2005 at 12:19:59AM -0500, Dave Huang wrote:
> [ Didn't get any response from netbsd-help, so I'm trying my luck here :) ]
>
> I heard that to use ALTQ, pf is the way to go these days, so I applied
> the ALTQ patch from http://nedbsd.nl/~ppostma/pf/ to a netbsd-2 branch
> i386 kernel and installed security/pflkm from pkgsrc.
>
> I think I got the basic NAT and firewall part working, but I'm having
> trouble assigning packets to the queues. I take it that there's no
> separate pf.conf syntax to assign packets to queues; it just
> piggybacks on the pass/block filter syntax?
>
> I've set up priq for now, just as a simple test to start off with, and
> I want to give IPTOS_THROUGHPUT packets lower priority than normal. I
> thought "pass out on $ext_if tos throughput queue low" would be all I
> needed to put those packets on the "low" queue, but no packets are
> going there. Yet packets are going on the "hi" and "phone" queues,
> even though I have no rules directing packets there? (I have the
> queues defined as part of an earlier test, but my current pf.conf
> shouldn't be assigning any packets to those queues).
>
> My network setup is:
> rtk0: IP address 208.180.124.100, connected to a cable modem (bridge)
> to the Internet
> fxp0: IP address 10.1.1.67, connected to internal 10.1.1.0/24 LAN
>
> My pf.conf:
>
> ext_if="rtk0"
> int_if="fxp0"
>
> scrub in
>
> altq on $ext_if priq bandwidth 250Kb queue { low, std, med, hi, phone }
> queue low priority 3
> queue std priority 7 priq(default)
> queue med priority 10
> queue hi priority 14
> queue phone priority 15
>
> nat on $ext_if from !($ext_if) -> ($ext_if:0)
>
> pass out keep state
> pass out on $ext_if tos throughput queue low
>
> pass quick on { lo $int_if }
> antispoof log quick for { lo $int_if }
>
> I started an ftp upload, then watched "pfctl -s queue -vv":
>
> queue low priority 3
> [ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0 ]
> [ qlength: 0/ 50 ]
> [ measured: 0.0 packets/s, 0 b/s ]
> queue std priority 7 priq( default )
> [ pkts: 5043 bytes: 6945477 dropped pkts: 0 bytes: 0 ]
> [ qlength: 22/ 50 ]
> [ measured: 22.5 packets/s, 250.27Kb/s ]
> queue med priority 10
> [ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0 ]
> [ qlength: 0/ 50 ]
> [ measured: 0.0 packets/s, 0 b/s ]
> queue hi priority 14
> [ pkts: 3 bytes: 220 dropped pkts: 0 bytes: 0 ]
> [ qlength: 0/ 50 ]
> [ measured: 0.0 packets/s, 0.31 b/s ]
> queue phone priority 15
> [ pkts: 18 bytes: 5364 dropped pkts: 0 bytes: 0 ]
> [ qlength: 0/ 50 ]
> [ measured: 0.0 packets/s, 101.47 b/s ]
>
> tcpdump confirms that the outgoing ftp data packets have tos 0x8, but
> the majority of the packets are still going to the default "std" queue.
>
> What's wrong? :)
>
To my understanding, you can't use a default keep state rule when using the
'tos' keyword. The problem is that a state doesn't check for the tos
value and when the tos changes to 0x08, the state for the connection already
exists.
It should work if you change the rule "pass out keep state" to
"pass out all".
I don't think it's a bug, rather a limitation of keep state...
--
Peter Postma